[Pidgin] PlainTextPasswords modified
Pidgin
trac at pidgin.im
Fri Feb 28 04:11:31 EST 2014
Page "PlainTextPasswords" was changed by fedor.brunner
Diff URL: <https://developer.pidgin.im/wiki/PlainTextPasswords?action=diff&version=18>
Revision 18
Comment: changing links to HTTPS
Changes:
-------8<------8<------8<------8<------8<------8<------8<------8<--------
Index: PlainTextPasswords
=========================================================================
--- PlainTextPasswords (version: 17)
+++ PlainTextPasswords (version: 18)
@@ -17,7 +17,7 @@
== "But other programs don't store my password in plain text!" ==
-That's true. But few of them store it in a way that's any safer. A Google search for [http://www.google.com/search?q=im+passwords "im passwords"] shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin.
+That's true. But few of them store it in a way that's any safer. A Google search for [https://www.google.com/search?q=im+passwords "im passwords"] shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin.
The very first link is a clear indication that '''''__none__''''' of these IM applications provide any sort of real password security:
* ICQ and ICQLite
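Review bot: The context line "The very first link is a clear indication" that follows the changed line depends on whatever the search engine ranks first for "im passwords", and moving the URL to https does not make that reference any more stable. Suggest linking directly to the page being referred to, or naming it in the text, so the claim about the listed clients can be checked by a reader.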
@@ -107,7 +107,7 @@
== DIGEST-MD5 in Jabber/XMPP ==
-[http://www.xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password.
+[https://xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password.
Following downsides remain:
- If accounts.xml is revealed, the attacker is still able to login to the Jabber account (but not to, say, email account, even if they had the same password)
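Review bot: The replacement link on the "+" line changes the host from www.xmpp.org to xmpp.org as well as the scheme, which the revision comment ("changing links to HTTPS") does not mention; confirm that the #security-mandatory anchor still resolves on the new host. Since the line is being touched anyway, "this makes nearly impossible" should read "this makes it nearly impossible", and the sentence could be qualified, given that the first downside listed right after it says a revealed accounts.xml still lets the attacker log in to the Jabber account.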
@@ -116,4 +116,4 @@
Currently (as of 2008) Pidgin does not store the hash. elb: "I would accept a good patch to implement that"
-As of 2010, the draft version of the next XMPP standard specifies [http://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] as the mandatory-to-implement mechanism, replacing DIGEST-MD5, though not all servers support it currently.
+As of 2010, the draft version of the next XMPP standard specifies [https://tools.ietf.org/html/rfc5802 SCRAM-SHA-1] as the mandatory-to-implement mechanism, replacing DIGEST-MD5, though not all servers support it currently.
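Review bot: The changed line still reads "As of 2010, the draft version of the next XMPP standard", and the context line above it says "Currently (as of 2008)", while this revision is dated 2014. Only the URL scheme is updated here; suggest re-checking both statements and either refreshing them or marking them as describing the situation at those dates.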
-------8<------8<------8<------8<------8<------8<------8<------8<--------
--
Page URL: <https://developer.pidgin.im/wiki/PlainTextPasswords>
Pidgin <https://pidgin.im>
Pidgin
This is an automated message. Someone added your email address to be
notified of changes on 'PlainTextPasswords' page.
If it was not you, please report to datallah at pidgin.im.